Abstract

Recently, a few CCA2-secure (IND-CCA2) variants of the McEliece cryptosystem in the standard model were introduced.
All these schemes are based on the Rosen-Segev approach and lossy trapdoor functions and utilize the $k$-repetition paradigm. The main
drawback of these schemes is that they need additional encryption and have large key sizes compared to the original scheme,
which aggravates the public-key size problem of code-based cryptosystems. Furthermore, full CCA2-security of these schemes is
achieved by using a strongly unforgeable one-time signature scheme, and so the resulting scheme needs separate encryption.
Therefore, these schemes are completely impractical.

In this manuscript, we propose a new and efficient IND-CCA2 variant of the McEliece cryptosystem in the standard model.
The main novelty is that, unlike previous approaches, our approach is a generic transformation and can be applied to any code-based
one-way cryptosystem (both the McEliece and the Niederreiter cryptosystems). Our approach also eliminates the encryption
repetition and the use of a strongly unforgeable one-time signature scheme. This novel approach is more efficient:
the public/secret keys are as in the original scheme and the encryption/decryption complexity is comparable to the original
scheme. CCA2-security of the proposed scheme can be reduced in the standard model to the McEliece assumptions. To the best
of our knowledge, this is the first variant of a code-based cryptosystem that is IND-CCA2 in the standard model without using the
$k$-repetition paradigm or a strongly unforgeable one-time signature scheme.

Index Terms 

Post-quantum cryptography, McEliece cryptosystem, IND-CCA2, permutation algorithm, standard model.

I. Introduction 

POST-QUANTUM cryptography (PQC) has obtained great attention in recent years. Code-based cryptography holds great
promise for post-quantum cryptography, as it enjoys very strong security proofs based on average-case hardness [22],
relatively fast and efficient encryption/decryption, as well as great simplicity. In code-based cryptography, there are two
well-known public key encryption schemes, namely the McEliece [13] and Niederreiter [15] cryptosystems. The McEliece cryptosystem
was the first public key encryption scheme based on linear error-correcting codes. It has a very fast and efficient encryption
procedure, but it has one big flaw: the size of the public key. Recently, how to reduce the public-key size and how to choose
secure parameters in code-based cryptography have been deeply explored [1], [3], [?], [?], [14].

Semantic security (a.k.a. indistinguishability) against adaptive chosen ciphertext attacks (IND-CCA2), the strongest known
notion of security for public key encryption schemes, was introduced by Rackoff and Simon [20]. It is possible to produce
IND-CCA2 variants of code-based cryptosystems in the random oracle model [4], [11], [12]; however, CCA2-security in
the standard model has not been widely discussed. To the best of our knowledge, only a few papers have touched this research
issue.

A. Related work 

There are two approaches for constructing code-based cryptosystems in the standard model.

• Syndrome decoding. This construction was presented by Freeman et al. [10], and used the Rosen-Segev approach [21] to
introduce a correlation-secure trapdoor function related to the hardness of syndrome decoding. Their construction is based
on the Niederreiter cryptosystem. Because the McEliece cryptosystem has some special structure, some general IND-CCA2
conversions such as the Rosen-Segev approach cannot be applied to the McEliece cryptosystem, and it is not correlation-secure.
Recently, Preetha Mathew et al. [19] proposed an efficient variant of the Niederreiter scheme based on lossy
trapdoor functions [17], which avoids the $k$-repetition paradigm. Their idea is similar to the Agrawal et al. [1] approach for
simulating the key-extraction phase in their proof of CPA-security of a (H)IBE in the standard model. But the details
and computations are entirely different from [1].
• $k$-repetition PKE. The first IND-CCA2 variant of the McEliece cryptosystem was introduced by Dowsley et al. [5]. They
propose a scheme that resembles the Rosen-Segev protocol, trying to apply it to the McEliece cryptosystem. This scheme
has some ambiguity. The scheme does not rely on a collection of functions but instead defines a structure called a $k$-repetition
public-key encryption ($\mathrm{PKE}_k$) scheme. This is essentially an application of $k$ samples of the PKE to the same
input, in which the decryption algorithm also includes a verification step on the $k$ outputs. The encryption step produces
a signature directly on the McEliece ciphertexts instead of introducing a random vector $x$ as in the original Rosen-Segev
scheme; therefore an IND-CPA secure variant of McEliece's cryptosystem is necessary to achieve CCA2-security [15].
Recently, inspired by the Rosen-Segev approach, Döttling et al. [6] showed that the Nojima et al. [15] randomized version of
the McEliece cryptosystem is $k$-repetition CPA-secure, so it can obtain CCA2-security in the standard model by using a
strongly unforgeable one-time signature scheme.

Cryptosystems based on the Rosen-Segev approach are less efficient. To encrypt a one-bit message¹, these schemes need to execute
the original encryption algorithm $k$ times in the encryption phase, and $t$ times ($t < k$) in the decryption phase. However,
the Döttling et al. scheme encrypts many bits as opposed to the single-bit PKE obtained from the Rosen-Segev approach. The
public/secret keys are $2k$ times larger than the public/secret keys of the original scheme. All the above schemes also use a
generic transformation such as a strongly unforgeable one-time signature scheme to handle CCA2-security related issues. So, the
proposed scheme needs separate encryptions. On the other hand, all the concrete constructions of lossy trapdoor and correlated-input
functions are based on decisional assumptions. It is widely believed that computational assumptions are more standard
than their decisional versions.

B. Motivation 

To date, the existing variants of the code-based cryptosystems (either McEliece or Niederreiter) which are IND-CCA2 in
the standard model are based on decisional assumptions such as correlated-input and lossy trapdoor functions, and utilize the $k$-repetition
paradigm. In such cryptosystems, the keys are $2k$ times larger than the keys of the original scheme, which aggravates the
public-key size problem, and a message must be encrypted $k$ times, so these schemes lead to extremely large key and ciphertext
sizes, and thus incur a huge encryption cost. Although the Preetha Mathew et al. scheme [19] avoids $k$-repetition, the
encryption/decryption algorithms must be executed twice and the public/secret keys are larger than in the original Niederreiter
scheme. In addition, it still uses a strongly unforgeable one-time signature scheme to achieve CCA2-security and needs separate
encryption. Therefore, how to design an efficient IND-CCA2 code-based cryptosystem in the standard model is still worth
investigating. The inefficiency and impracticality of the proposed IND-CCA2 code-based schemes in the standard model
motivate us to investigate a new approach for constructing such efficient schemes in the standard model based on computational
assumptions.

C. Our Contributions 

To tackle the challenging issues mentioned in the previous subsection, we introduce a randomized variant of the McEliece
cryptosystem and prove its security in the standard model based on the McEliece assumptions. Our contributions in this paper
are:

• Our approach is a generic pre-coding based algorithm. The main novelty is that our approach can be applied to any
code-based trapdoor one-way cryptosystem.

• This novel approach, for the first time, eliminates the encryption repetition and the use of strongly unforgeable
one-time signature schemes in IND-CCA2 variants of code-based cryptosystems.

• Our proposed scheme is more efficient: the public/secret keys are as in the original scheme and the encryption/decryption
complexity is comparable to the original scheme.

• Our CCA2-security proof is based on the assumption that the underlying primitive is a trapdoor one-way function. So,
the scheme's consistency check can be directly implemented by the simulator without having access to some external
gap-oracle as in previous schemes [1], [5], [6], [10], [12], [19]. Thus, our proof technique is fundamentally different
from all known approaches to obtaining CCA2-security in code-based cryptosystems.

• Unlike previous schemes, our scheme is based on computational assumptions (i.e. the McEliece assumptions), which are
widely believed to be more standard than their decisional versions.

The paper is organized as follows: in the next section, we briefly explain some mathematical background and definitions. Then,
in Section 3, we introduce our proposed scheme. The security and performance analysis of this cryptosystem are discussed in
Section 4. We conclude in Section 5.

¹ As in [21] we can assume $m$ to be a single-bit message, in which case the scheme describes a hard-core predicate for the McEliece scheme; the
protocol can easily be extended to multi-bit plaintexts.
II. Preliminary

A. Notation 

We will use standard notation. If $x$ is a string, then $|x|$ denotes its length and $\mathrm{Lsb}_a(x)$ denotes the rightmost $a$ bits of $x$. If $k \in \mathbb{N}$
then $\{0,1\}^k$ denotes the set of $k$-bit strings, $1^k$ denotes a string of $k$ ones and $\{0,1\}^*$ denotes the set of bit strings of finite
length. $y \leftarrow x$ denotes the assignment to $y$ of the value $x$. For a set $S$, $s \leftarrow S$ denotes the assignment to $s$ of a uniformly random
element of $S$. For a deterministic algorithm $A$, we write $x \leftarrow A^{O}(y, z)$ to mean that $x$ is assigned the output of running $A$ on
inputs $y$ and $z$, with access to oracle $O$. If $A$ is a probabilistic algorithm, we may write $x \leftarrow A^{O}(y, z, R)$ to mean the output
of $A$ when run on inputs $y$ and $z$ with oracle access to $O$ and using the random coins $R$. If we do not specify $R$ then we
implicitly assume that the coins are selected uniformly at random from $\{0,1\}^\infty$. This is denoted $x \leftarrow A^{O}(y, z)$. We denote
by $\Pr[E]$ the probability that the event $E$ occurs. If $a$ and $b$ are two strings of bits, we denote by $a \| b$ their concatenation.

Since the proposed cryptosystem is code-based, a few notions from coding theory are introduced. Let $\mathbb{F}_2$ be the finite
field with 2 elements $\{0, 1\}$, and $k \in \mathbb{N}$ be a security parameter. A binary linear error-correcting code $C$ of length $n$ and dimension $k$,
or an $[n, k]$-code, is a $k$-dimensional subspace of $\mathbb{F}_2^n$. Elements of $\mathbb{F}_2^n$ are called words, and elements of $C$ are called codewords.
If the minimum Hamming distance between any two codewords is $d$, then the code is an $[n, k, d]$ code. The Hamming weight of
a word $x$, $\mathrm{wt}(x)$, is the number of non-zero bits in the word. For $t \le \lfloor (d-1)/2 \rfloor$, the code is said to be $t$-error correcting
if it detects and corrects errors of weight at most $t$. Hence, the code can also be represented as an $[n, k, 2t+1]$ code. The
generator matrix $G \in \mathbb{F}_2^{k \times n}$ of an $[n, k]$ linear code $C$ is a matrix of rank $k$ whose rows span the code $C$.



B. Definitions 

Definition 1 (General Decoding Problem). Given a generator matrix $G \in \mathbb{F}_2^{k \times n}$ and a word $m \in \mathbb{F}_2^n$, find a codeword
$c \in \mathbb{F}_2^k$ such that $e = m - cG$ has Hamming weight $\mathrm{wt}(e) \le t$.

Definition 2 (General Decoding Assumption). Let $C$ be an $[n, k, d]$ binary linear code defined by a $k \times n$ generator matrix
$G$ with minimal distance $d$, and $t \le \lfloor (d-1)/2 \rfloor$. An adversary $A$ that takes as input a word $m \in \mathbb{F}_2^n$ returns a codeword
$c \in \mathbb{F}_2^k$. We consider the following random experiment on the GDP problem.

Experiment $\mathrm{Exp}^{\mathrm{GDP}}_{A}$:
  $c \in \mathbb{F}_2^k \leftarrow A(G, m \in \mathbb{F}_2^n)$
  if $x = m - cG$ and $\mathrm{wt}(x) \le t$
  then $b \leftarrow 1$ else $b \leftarrow 0$
  return $b$.

We define the corresponding success probability of $A$ in solving the GDP problem via

$$\mathrm{Succ}^{\mathrm{GDP}}_{A} = \Pr[\mathrm{Exp}^{\mathrm{GDP}}_{A} = 1].$$

Let $\tau \in \mathbb{N}$ and $\varepsilon \in [0, 1]$. We call GDP $(\tau, \varepsilon)$-secure if no polynomial algorithm $A$ running in time $\tau$ has success
$\mathrm{Succ}^{\mathrm{GDP}}_{A} \ge \varepsilon$.

A public-key encryption scheme can be defined as follows.

Definition 3 (Public-key encryption). A public-key encryption scheme (PKE) is a triple of probabilistic polynomial time
(PPT) algorithms (Gen, Enc, Dec) such that:

• Gen is a probabilistic polynomial time key generation algorithm which takes a security parameter $1^k$ as input and outputs
a public key $pk$ and a secret key $sk$. We write $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$. The public key specifies the message space $\mathcal{M}$ and
the ciphertext space $\mathcal{C}$.

• Enc is a (possibly) probabilistic polynomial time encryption algorithm which takes as input a public key $pk$, a message $m \in \mathcal{M}$
and random coins $r$, and outputs a ciphertext $C \in \mathcal{C}$. We write $\mathrm{Enc}(pk, m; r)$ to indicate explicitly that the random coins
$r$ are used and $\mathrm{Enc}(pk, m)$ if fresh random coins are used.

• Dec is a deterministic polynomial time decryption algorithm which takes as input a secret key $sk$ and a ciphertext $C \in \mathcal{C}$,
and outputs either a message $m \in \mathcal{M}$ or an error symbol $\bot$. We write $m \leftarrow \mathrm{Dec}(C, sk)$.

• (Completeness) For any pair of public and secret keys generated by Gen and any message $m \in \mathcal{M}$ it holds that
$\mathrm{Dec}(sk, \mathrm{Enc}(pk, m; r)) = m$ with overwhelming probability over the randomness used by Gen and the random coins $r$
used by Enc.

Definition 4 (CCA2-security). A public-key encryption scheme PKE is secure against adaptive chosen-ciphertext attacks (i.e.
IND-CCA2) if the advantage of any two-stage PPT adversary $A = (A_1, A_2)$ in the following experiment is negligible in the
security parameter $k$:

Experiment $\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k)$:
  $(pk, sk) \leftarrow \mathrm{Gen}(1^k)$
  $(m_0, m_1, state) \leftarrow A_1^{\mathrm{Dec}(sk,\cdot)}(pk)$ s.t. $|m_0| = |m_1|$
  $b \leftarrow \{0, 1\}$
  $C^* \leftarrow \mathrm{Enc}(pk, m_b)$
  $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(C^*, state)$
  if $b = b'$ return 1, else return 0

The attacker may query a decryption oracle with a ciphertext $C$ at any point during its execution, with the exception that $A_2$
is not allowed to query $\mathrm{Dec}(sk, \cdot)$ with the "challenge" ciphertext $C^*$. The decryption oracle returns $b' \leftarrow A_2^{\mathrm{Dec}(sk,\cdot)}(C^*, state)$.
The attacker wins the game if $b = b'$ and the probability of this event is defined as $\Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = 1]$. We define the advantage
of $A$ in the experiment as

$$\mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = \left| \Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{\mathrm{PKE},A}(k) = 1] - \tfrac{1}{2} \right| \qquad (1)$$



C. McEliece cryptosystem 

The McEliece PKE consists of a triple of probabilistic polynomial time algorithms $(\mathrm{Gen}_{\mathrm{McE}}, \mathrm{Enc}_{\mathrm{McE}}, \mathrm{Dec}_{\mathrm{McE}})$.

System Parameters: $n, t \in \mathbb{N}$ where $t \ll n$.

Key Generation. $\mathrm{Gen}_{\mathrm{McE}}$ takes as input the security parameter $1^k$ and generates the following matrices:

• A $k \times n$ generator matrix $G$ of a code $\mathcal{G}$ over $\mathbb{F}_2$ of dimension $k$ and minimum distance $d \ge 2t + 1$ (a binary
irreducible Goppa code in the original proposal).

• A $k \times k$ random binary non-singular matrix $S$.

• An $n \times n$ random permutation matrix $P$.

Then, Gen computes the $k \times n$ matrix $G^{pub} = SGP$ and outputs a public key $pk$ and a secret key $sk$, where

$$pk = (G^{pub}, t) \quad \text{and} \quad sk = (S, D_{\mathcal{G}}, P)$$

where $D_{\mathcal{G}}$ is an efficient decoding algorithm for $\mathcal{G}$.

Encryption. $\mathrm{Enc}_{\mathrm{McE}}(pk, m)$ takes a plaintext $m \in \mathbb{F}_2^k$ as input, randomly chooses a vector $e \in \mathbb{F}_2^n$ with Hamming weight $\mathrm{wt}(e) = t$
and computes the ciphertext $c$ as follows:

$$c = mG^{pub} \oplus e.$$

Decryption. To decrypt a ciphertext $c$, $\mathrm{Dec}_{\mathrm{McE}}(sk, c)$ first calculates

$$cP^{-1} = (mS)G \oplus eP^{-1}$$

and then applies the decoding algorithm $D_{\mathcal{G}}$ to it. If the decoding succeeds, it outputs

$$(mS)S^{-1} = m.$$

Otherwise, it outputs $\bot$.

There are two computational assumptions underlying the security of the McEliece scheme.

Assumption 1 (Indistinguishability).² The matrix $G$ output by Gen is computationally indistinguishable from a uniformly
chosen matrix of the same size.

Assumption 2 (Decoding hardness). Decoding a random linear code with parameters $n, k, w$ is hard.

Note that Assumption 2 is in fact equivalent to assuming the hardness of GDP. It is immediately clear that the following
corollary is true.

Corollary 1. Given that both the above assumptions hold, the McEliece cryptosystem is one-way secure under passive attacks.

² Faugère et al. showed that this assumption is not always true for alternant and Goppa codes; for more detail see [8].
III. The proposed cryptosystem

In this section, we introduce our proposed encryption scheme. Our scheme is an efficient heuristic randomized pre-coding
based algorithm and can be applied to any code-based trapdoor one-way cryptosystem such as McEliece, Niederreiter and so
on. This algorithm uses a random binary string (RBS) for encoding the message to be sent. Encoding consists of a permutation
and combination of the message bits and is performed with an algorithm called the permutation combination algorithm (PCA). Here,
we illustrate our approach based on the McEliece cryptosystem.

A. Permutation combination algorithm 

Suppose we decide to encrypt a message $m \in \{0, 1\}^n$. To perform a random encoding of the message bits, we uniformly
choose a random binary vector $x = (x_1, \ldots, x_n)$ with Hamming weight $\mathrm{wt}(x) = h$ such that $n/h$ is an integer. We divide
$m$ into $h$ blocks $m = (b_1 \| b_2 \| \ldots \| b_h)$ of equal binary length $v = n/h$. Then, we perform a random permutation on the
message blocks $b_i$, $1 \le i \le h$, with the following algorithm.

Notice that for any integer $s$, $1 \le s \le h! - 1$, $s$ can be written as

$$s = \sum_{i=1}^{h} u_i \,(h - i)!, \qquad 0 \le u_i \le h - i.$$

The sequence $\{u_1, \ldots, u_h\}$ is called the factorial carry value of $s$. Define the original sequence $m_0$ as $m_0 = (b_1, b_2, \ldots, b_h)$.
Recombining all the elements of the original sequence $m_0$, we obtain $h! - 1$ sequences $m_1, \ldots, m_{(h!-1)}$, each of which has a
corresponding factorial carry value. Using the factorial carry value, we can efficiently obtain any sequence $m_s$, $1 \le s \le h! - 1$,
using the following algorithm.

Algorithm 2: Permutation Combination Algorithm (PCA).

Input: Message $m_0 = (b_1, \ldots, b_h)$ and a random integer $s$, $1 \le s \le h! - 1$.
Output: Encoded message $m' = m_s = (b'_1, \ldots, b'_h)$.

1) Write $s$ as $s = \sum_{i=1}^{h} u_i (h - i)!$, $0 \le u_i \le h - i$.

2) For $1 \le i \le h$:

   • if $u_i = 0$,

   • else

     for $1 \le j \le u_i$,

3) Return $m_s = (b'_1, \ldots, b'_h)$.

We remark that, based on the random binary string $x$, the number of message blocks and their length are variable
and are determined by $x$.

We illustrate the PCA algorithm with a small example. Suppose $m = (m_1, \ldots, m_{112})$ and $x = (x_1, \ldots, x_{112})$ with
$\mathrm{wt}(x) = h = \sum_{i=1}^{112} x_i = 8$. Since $h = 8$, the algorithm divides $m$ into 8 blocks of equal length $v = n/h = 112/8 = 14$. So, we
have

$$m_0 = (\underbrace{m_1, \ldots, m_{14}}_{b_1} \,\|\, \underbrace{m_{15}, \ldots, m_{28}}_{b_2} \,\|\, \cdots \,\|\, \underbrace{m_{99}, \ldots, m_{112}}_{b_8}).$$

We choose a random integer $s$, $1 \le s \le 8! - 1$, say $s = 2000$. We have

$$2000 = 0 \times 8! + 0 \times 7! + 2 \times 6! + 4 \times 5! + 3 \times 4! + 1 \times 3! + 1 \times 2! + 0 \times 1!$$

Thus, the factorial carry value of $D_{2000}$ is $\{0, 0, 2, 4, 3, 1, 1, 0\}$. We compute the sequence $D_{2000}$ from its factorial carry value
$\{0, 0, 2, 4, 3, 1, 1, 0\}$ as follows (each row lists $u_i$, the remaining sequence, and the selected block):

0 : {b1, b2, b3, b4, b5, b6, b7, b8} → b1
0 : {b2, b3, b4, b5, b6, b7, b8} → b2
2 : {b3, b4, b5, b6, b7, b8} → b5
4 : {b3, b4, b6, b7, b8} → b8
3 : {b3, b4, b6, b7} → b7
1 : {b3, b4, b6} → b4
1 : {b3, b6} → b6
0 : {b3} → b3

The permutation of sequence $D_{2000}$ is $(b_1 \| b_2 \| b_5 \| b_8 \| b_7 \| b_4 \| b_6 \| b_3)$.
B. The proposed scheme

Now, we are ready to define our proposed scheme $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$.

Key Generation. Let $\mathrm{Gen}_{\mathrm{McE}}$ be the McEliece system generator. On security parameter $1^k$, the generator Gen runs $\mathrm{Gen}_{\mathrm{McE}}(1^k)$
to obtain

$$sk = sk_{\mathrm{McE}} \quad \text{and} \quad pk = pk_{\mathrm{McE}}.$$

Encryption. To encrypt a message $m \in \{0, 1\}^k$, $\mathrm{Enc}(pk, m)$:

• Chooses a uniformly random binary string $x = (x_1, \ldots, x_k)$ with $2 \le \mathrm{wt}(x) = h_x \le (k - 2)$ such that $v = k/h_x$ is an
integer.

• Sets $s = \lceil h_x/2 \rceil \cdot (h_x - 1)! - 1$³ and executes the PCA algorithm (Section III-A) to generate the encoded message $m' = m_s =
(b'_1 \| b'_2 \| \cdots \| b'_{h_x})$ from the message $m$.

• Sets $m'' \leftarrow \mathrm{Lsb}_{\lceil k/2 \rceil}(m')$ and computes $\mathrm{wt}(m'') = h_{m''}$.

• Let $X$ be the decimal value of $x$. Computes:

$$C_1 = X \cdot h_{m''}, \qquad C_2 = \mathrm{Enc}_{\mathrm{McE}}(m', pk).$$

Decryption. To retrieve the message $m$ from $C = (C_1, C_2)$, Dec performs the following steps:

• Computes the encoded message $m'$ as $m' \leftarrow \mathrm{Dec}_{\mathrm{McE}}(C_2, sk)$.

• Sets $m'' \leftarrow \mathrm{Lsb}_{\lceil k/2 \rceil}(m')$ and computes $\mathrm{wt}(m'') = h_{m''}$.

• Computes $x = C_1 / h_{m''}$, and rejects the ciphertext if $x$ is not an integer; otherwise, checks whether

$$k = \lfloor \log_2(C_1 / h_{m''}) \rfloor + 1 \qquad (2)$$

holds, and rejects if not (consistency check). If (2) holds, computes $h_x = \mathrm{wt}(x)$, $s = \lceil h_x/2 \rceil \cdot (h_x - 1)! - 1$ and $v = k/h_x$.

• The length of the message blocks, $v$, and the value of the permutation factor $s$ are now explicit, so Dec can extract the message
blocks $b_i$, $1 \le i \le h_x$, from the encoded message $m'$ via a reverse permutation.
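The PCA permutation (Section III-A) and the pre-coding layer of Enc/Dec above, as an added Python example that is not code from the paper; the McEliece step is left outside the block, so `precode` returns $(m', C_1)$ and `decode` takes an already recovered $m'$. It assumes the standard factorial number system (digit $u_i$ weighted by $(h-i)!$ with $0 \le u_i \le h-i$, under which the page's carry value $\{0,0,2,4,3,1,1,0\}$ is the expansion of $s = 357$) and, as added assumptions, rejects $h_{m''} = 0$ and strings $x$ whose top bit is 0, since Dec divides $C_1$ by $h_{m''}$ and check (2) requires $X$ to be a $k$-bit integer.

```python
from math import ceil, factorial


def factorial_carry_value(s, h):
    """Digits (u_1, ..., u_h) with s = sum_i u_i * (h - i)! and 0 <= u_i <= h - i.
    Assumed convention: standard factorial number system, so 0 <= s < h!."""
    if not 0 <= s < factorial(h):
        raise ValueError("s must lie in [0, h! - 1]")
    digits = []
    for i in range(1, h + 1):
        weight = factorial(h - i)
        digits.append(s // weight)
        s %= weight
    return digits


def pca_permute(blocks, s):
    """PCA: for each u_i, take the element at index u_i of the remaining sequence."""
    remaining = list(blocks)
    return [remaining.pop(u) for u in factorial_carry_value(s, len(blocks))]


def pca_inverse(permuted, s):
    """Reverse PCA: replay the same index choices to learn where each block came from."""
    h = len(permuted)
    original = [None] * h
    remaining_positions = list(range(h))
    for u, block in zip(factorial_carry_value(s, h), permuted):
        original[remaining_positions.pop(u)] = block
    return original


def permutation_factor(h):
    """s = ceil(h/2) * (h - 1)! - 1, the value fixed by the scheme's Enc and Dec."""
    return ceil(h / 2) * factorial(h - 1) - 1


def split_blocks(bits, h):
    v = len(bits) // h
    return [bits[i * v:(i + 1) * v] for i in range(h)]


def precode(m, x):
    """Enc side. m, x: bit strings of length k. Returns (m', C_1); m' is the
    input to Enc_McE, which is not part of this block."""
    k = len(m)
    if len(x) != k:
        raise ValueError("x must be k bits")
    h_x = x.count("1")
    if not 2 <= h_x <= k - 2 or k % h_x:
        raise ValueError("need 2 <= wt(x) <= k-2 and k/wt(x) an integer")
    X = int(x, 2)
    if X.bit_length() != k:  # added assumption: Dec's check (2) needs a k-bit X
        raise ValueError("top bit of x must be 1")
    s = permutation_factor(h_x)
    m_prime = "".join(pca_permute(split_blocks(m, h_x), s))
    h_m = m_prime[-ceil(k / 2):].count("1")  # wt(Lsb_{ceil(k/2)}(m'))
    if h_m == 0:  # added assumption: Dec divides C_1 by h_m''
        raise ValueError("Lsb half of m' is all zero; pick a fresh x")
    return m_prime, X * h_m


def decode(m_prime, c1):
    """Dec side, after Dec_McE recovered m'. Returns m, or None on reject."""
    k = len(m_prime)
    h_m = m_prime[-ceil(k / 2):].count("1")
    if h_m == 0 or c1 % h_m:  # x = C_1 / h_m'' must be an integer
        return None
    X = c1 // h_m
    if X.bit_length() != k:  # consistency check (2): k = floor(log2 X) + 1
        return None
    x = format(X, "b")
    h_x = x.count("1")
    if not 2 <= h_x <= k - 2 or k % h_x:
        return None
    s = permutation_factor(h_x)
    return "".join(pca_inverse(split_blocks(m_prime, h_x), s))


if __name__ == "__main__":
    # Constructed sample inputs: the page's 8-block example, then a 16-bit round trip.
    print(pca_permute([f"b{i}" for i in range(1, 9)], 357))
    m, x = "0001001000110100", "1000100010001000"
    m_prime, c1 = precode(m, x)
    print(m_prime, c1, decode(m_prime, c1) == m)
```

For $h_x = 8$ the scheme's own $s = 4 \cdot 7! - 1 = 20159$ has carry value $(3,6,5,4,3,2,1,0)$, which sends blocks $(b_1, \ldots, b_8)$ to $(b_4, b_8, b_7, b_6, b_5, b_3, b_2, b_1)$.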

IV. Security proof 

In this section, we prove the CCA2-security of the proposed cryptosystem built using the pre-coding approach with the McEliece
cryptosystem.

Theorem 1. Suppose $\Pi_{\mathrm{McE}} = (\mathrm{Gen}_{\mathrm{McE}}, \mathrm{Enc}_{\mathrm{McE}}, \mathrm{Dec}_{\mathrm{McE}})$ is a McEliece encryption scheme. Then, the proposed scheme
$\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ is IND-CCA2 in the standard model based on the McEliece assumptions.

Proof. Suppose that $C^* = (C_1^*, C_2^*)$ is the challenge ciphertext. Let $S_i$ be the event that the adversary $A$ wins in Game $i$.
Here is the sequence of games.

Game 0. We define Game 0 as an interactive computation between an adversary $A$ and a simulator. This game is the usual
CCA2 game used to define CCA2-security, in which the simulator provides the adversary's environment.
Initially, the simulator runs the key generation algorithm and gives the public key to the adversary. The adversary submits
two messages $m_0, m_1$ with $|m_0| = |m_1|$ to the simulator. The simulator chooses $b \in \{0, 1\}$ at random and encrypts $m_b$,
obtaining the challenge ciphertext $C^* = (C_1^*, C_2^*)$. The simulator gives $C^*$ to the adversary. We denote by $x^*$, $h_{x^*} = \mathrm{wt}(x^*)$,
$v^* = k/h_{x^*}$, $s^* = \lceil h_{x^*}/2 \rceil \cdot (h_{x^*} - 1)! - 1$, $m'^* = m_{s^*}$, $m''^* = \mathrm{Lsb}_{\lceil k/2 \rceil}(m'^*)$ and $h_{m''^*} = \mathrm{wt}(m''^*)$ the corresponding
intermediate quantities computed by the encryption algorithm. The only restriction on the adversary's requests is that after it
makes a challenge request, the subsequent decryption requests must not be the same as the challenge ciphertext. At the end
of the game, the adversary $A$ outputs $b' \in \{0, 1\}$. Let $S_0$ be the event that $b = b'$. Since Game 0 is identical to the CCA2
game we have that

$$\left| \Pr[S_0] - \tfrac{1}{2} \right| = \mathrm{Adv}_{A,\Pi}(k)$$

by definition, and our goal is to prove that this quantity is negligible.

Game 1. We define Game 1 as identical to Game 0, except that $C_1 = C_1^*$ and $h_{m''} = h_{m''^*}$ while $C_2 \ne C_2^*$.⁴

In this game, the adversary $A_{G1}$ queries on input $(C_1 = C_1^*, h_{m''} = h_{m''^*})$ while $C_2 \ne C_2^*$. In this case, the simulator
computes $m' = \mathrm{Dec}_{\mathrm{McE}}(C_2) \ne m'^*$, $x = C_1/h_{m''} = x^*$, $v = v^*$ and $s = s^*$. Although the block length $v$ and the
permutation factor $s$ are explicit, since $m' \ne m'^*$ the simulator's output is not identical to $m_b$. Therefore, if the
McEliece cryptosystem is secure, then the advantage of adversary $A_{G1}$ in this game is negligible and we have

$$|\Pr[S_1] - \Pr[S_0]| \le \mathrm{Adv}_{A_{G1},\Pi}(k) \qquad (3)$$

³ To perform a complete permutation, we can choose the value of $s$ close to the value of $h_x! - 1$. Here, we choose an arbitrary value of $s$ to $s =$
⁴ It is possible for $C_2 \ne C_2^*$ and therefore $m' \ne m'^*$, while $m''$ and $m''^*$ have the same Hamming weight.

Game 2. Define Game 2 as identical to Game 1, except that $h_{m''} \ne h_{m''^*}$.

In this game, the adversary $A_{G2}$ queries on input $(C_1 = C_1^*, C_2 \ne C_2^*)$, $h_{m''} \ne h_{m''^*}$. In this case, the simulator computes
$m' = \mathrm{Dec}_{\mathrm{McE}}(C_2) \ne m'^*$, $x = C_1/h_{m''} \ne x^*$, $h_x \ne h_{x^*}$, $v \ne v^*$ and $s \ne s^*$. Since $m' \ne m'^*$, $v \ne v^*$ and $s \ne s^*$, the
simulator's output is not identical to $m_b$, and so the advantage of the adversary $A_{G2}$ in this game is negligible.

We notice that it is possible for $x \ne x^*$, $h_x = h_{x^*}$. In this case we have $v = v^*$, $s = s^*$ and $m' \ne m'^*$. As we saw in the
previous game, since $m' \ne m'^*$, the simulator's output is not identical to $m_b$, and so the advantage of adversary $A_{G2}$ is
negligible in this case. We have

$$|\Pr[S_2] - \Pr[S_1]| \le \mathrm{Adv}_{A_{G2},\Pi}(k) \qquad (4)$$
Game 3. Define Game 3 as identical to Game 0, except that $C_2 = C_2^*$.

In this game, the adversary $A_{G3}$ queries on input $C = (C_1 \ne C_1^*, C_2 = C_2^*)$. The simulator takes as input $C_1 \ne C_1^*$, $C_2 = C_2^*$
and computes $m' = \mathrm{Dec}_{\mathrm{McE}}(C_2) = m'^*$ and $x = C_1/h_{m''^*}$. If $x$ is not a $k$-bit integer, then the simulator rejects $C$ in (2).
Else, since $C_1 \ne C_1^*$, $x \ne x^*$ and so $h_x \ne h_{x^*}$. We have $v \ne v^*$ and $s \ne s^*$. Since the message block length $v$ and the
permutation factor $s$ are not explicit, the simulator's output is not identical to $m_b$, and so the advantage of the adversary
$A_{G3}$ in this game is negligible. We have

$$|\Pr[S_3] - \Pr[S_0]| \le \mathrm{Adv}_{A_{G3},\Pi}(k) \qquad (5)$$

It is possible for $x \ne x^*$, $h_x = h_{x^*}$. We discuss this special case in the following lemma.

Lemma 1. There exists an efficient adversary $A_{G'3}$ such that:

$$\Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{A_{G'3},\Pi}(k) = 1] \le \tfrac{1}{2}.$$

We can easily build an adversary $A_{G'3}$ who aims to recover $m_b$ from Game 3. In the worst case, we can assume that for $x \ne x^*$
we have $h_x = h_{x^*}$. In this case, the simulator runs on input $C = (C_1 \ne C_1^*, C_2 = C_2^*)$, $h_x = h_{x^*}$, and computes $m' = m'^*$,
$x = C_1/h_{m''}$, $v = v^*$ and $s = s^*$. If $x$ is not a $k$-bit integer, then the simulator rejects $C$ in (2). Otherwise, the simulator
returns $b' = b$ and the adversary $A_{G'3}$ wins the game.

There are exactly $\binom{k}{h_{x^*}} - 1$ cases for $x \ne x^*$ such that $h_x = h_{x^*}$, and so for $C_1 \ne C_1^*$. The probability of success of $A_{G'3}$
in this case is equal to

$$\frac{1}{\binom{k}{h_{x^*}} - 1}.$$

With $2 \le h_x \le (k - 2)$, we have $\Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{A_{G'3},\Pi}(k) = 1] \le 1/2$. So, the advantage of the adversary $A_{G'3}$ is equal to 0,
and we have

$$|\Pr[S_3]| = \tfrac{1}{2} \qquad (6)$$



Remark 1. From equation (1), we have

$$\left| \Pr[\mathrm{Exp}^{\mathrm{IND\text{-}CCA2}}_{A,\Pi}(k) = 1] \right| \le \tfrac{1}{2} + \mathrm{Adv}^{\mathrm{IND\text{-}CCA2}}_{A,\Pi}(k).$$

If the advantage of the adversary $A$ is equal to 0, then we have

$$\left| \Pr[\mathrm{Exp}_{A,\Pi}(k) = 1] \right| \le \tfrac{1}{2}.$$

Completing the Proof: We can write

$$|\Pr[S_0]| = |\Pr[S_0] + \Pr[S_0] - \Pr[S_0] + \Pr[S_1] - \Pr[S_1] + \Pr[S_2] - \Pr[S_2] + \Pr[S_3] - \Pr[S_3]|.$$

So we have

$$|\Pr[S_0]| \le |\Pr[S_3]| + |\Pr[S_3] - \Pr[S_0]| + |\Pr[S_2] - \Pr[S_0]| + |\Pr[S_2] - \Pr[S_1]| + |\Pr[S_1] - \Pr[S_0]|.$$

We have

$$|\Pr[S_2] - \Pr[S_0]| \le |\Pr[S_2] - \Pr[S_1]| + |\Pr[S_1] - \Pr[S_0]|. \qquad (7)$$

From equations (3), (4), (5), (6), (7) we have:

$$\left| \Pr[S_0] - \tfrac{1}{2} \right| \le 2\,\mathrm{Adv}_{A_{G1},\Pi}(k) + 2\,\mathrm{Adv}_{A_{G2},\Pi}(k) + \mathrm{Adv}_{A_{G3},\Pi}(k).$$

By assumption, the right-hand side of the above inequality is negligible, which finishes the proof.

A. Performance analysis 

The performance-related issues can be discussed with respect to the computational complexity of key generation, key sizes,
and encryption and decryption speed. The resulting encryption scheme is very efficient. The time for computing the encoded message
is negligible compared to the time for computing $(\mathrm{Enc}_{\mathrm{McE}}, \mathrm{Dec}_{\mathrm{McE}})$. The public/secret keys are as in the original scheme,
encryption roughly needs one application of $\mathrm{Enc}_{\mathrm{McE}}$ together with a multiplication, and decryption roughly needs one application
of $\mathrm{Dec}_{\mathrm{McE}}$ together with a division. The comparison of the proposed scheme with existing schemes is presented in Table 2.



Table 2. Comparison with other code-based CCA-2 cryptosystems

| Scheme | Public key | Secret key | Ciphertext size | Encryption complexity | Decryption complexity |
|---|---|---|---|---|---|
| Dowsley et al. [6] | 2k × pk_McE | 2k × sk_McE | k × Ciph_McE + 1 sign | k × Enc_McE + 1 OT-SS | 1 Ver_OT-SS + 1 × Dec_McE + t × Enc_McE |
| Freeman et al. [10] | 2k × pk_Nie | 2k × sk_Nie | k × Ciph_Nie + 1 sign | k × Enc_Nie + 1 OT-SS | 1 Ver_OT-SS + 1 × Dec_Nie + t × Enc_Nie |
| Mathew et al. [18] | 1 pk_Nie + 1 (n × n) matrix | 2 × sk_Nie | 2 × Ciph_Nie + 1 sign | 2 × Enc_Nie + 1 MM + 1 OT-SS | 1 Ver_OT-SS + 1 × Dec_Nie + 2 × Enc_Nie + 1 MM |
| Proposed scheme | 1 pk_McE | 1 sk_McE | ~ 1 Ciph_McE + k | 1 Enc_McE + PCA + 1 P | 1 Dec_McE + 1 D + 1 PCA⁻¹ |

McE: McEliece cryptosystem, Nie: Niederreiter cryptosystem, Ciph: ciphertext, Ver: verification, OT-SS: strongly
unforgeable one-time signature scheme, P: product, D: division, MM: matrix multiplication, sign: signature, PCA: Permutation
Combination Algorithm (Section III-A), PCA⁻¹: reverse Permutation Combination Algorithm, and t < k.

V. Conclusion 

In this manuscript, we propose a new IND-CCA2 variant of code-based cryptosystems in the standard model. Unlike previous
approaches, our approach is a generic transformation and can be applied to any code-based trapdoor one-way cryptosystem such
as the McEliece or the Niederreiter cryptosystems. This novel approach eliminates the $k$-repetition paradigm and the
use of a strongly unforgeable one-time signature scheme. The public/secret keys of the proposed scheme are as in the original
scheme and the encryption/decryption complexity is comparable to the original scheme, so, compared to the other approaches
introduced to date, our approach is more efficient. We showed that CCA2-security of the proposed scheme can be reduced
in the standard model to the assumption that the underlying primitive is a trapdoor one-way function (i.e. the McEliece
assumptions), without any change in the system parameters. To the best of our knowledge, this is the first variant of code-based
cryptosystems that is IND-CCA2 in the standard model without using the $k$-repetition paradigm or a strongly unforgeable
one-time signature scheme.